1. Field of the Invention
This invention relates generally to authentication servers and, more particularly, to discovering authentication servers and establishing trust relationships therewith.
2. Description of Background
Federated identity allows a user of a computing device to log on to a given website or server, have their identity authenticated, and then permit that website or server to vouch for their identity while they try to gain access to other websites, servers, or networks. For example, employees who need to look up information regarding health care benefits typically have to access a third-party website by entering a log-on name and a password specific to that third-party website. However, federated identity enables these employees to automatically link to the third-party website without the necessity of logging onto the site via a site-specific log-on name and password. One illustrative example of federated security software is Tivoli Federated Identity Manager (TFIM). TFIM is compatible with several federated identity standards and specifications, including Liberty, Security Assertion Markup Language (SAML), Web Services Federation (WS-Federation), WS-Security and WS-Trust. TFIM uses a federated identity manager that allows users to sign on for internal and external services throughout a company and to contact any of the company's partners authorized to use TFIM.
In order to implement federated identity procedures, existing authentication systems must be explicitly federated together using federated security software such as TFIM. However, when existing federated security software packages are utilized, intra-domain relationships between previously separate authentication registries must be statically defined by an administrator, even in the context of TFIM. Statically defining these relationships requires significant administrative overhead for aligning policies from different domains and does not facilitate dynamic security mechanisms. A need therefore exists for improved methods by which federated identity procedures may be implemented. A solution that addresses, at least in part, the above and other shortcomings is desired.